D-Link AirPremier DWL-2210AP 802.
Contents
• Package Contents
• LEDs and Connections
• Overview
• Features and Benefits
• Prelaunch Checklist
Package Contents
Contents of Package:
• D-Link AirPremier™ DWL-2210AP 802.11g Wireless Adaptive Access Point
• Power over Ethernet base unit
• Power Adapter-DC 48V, 0.4A
• Power cord
• Manual and Warranty on CD
• Quick Installation Guide
• Ethernet Cable
If any of the above items are missing, please contact your reseller.
Note: Using a power supply with a different voltage rating than the one included with the DWL-2210AP will cause damage and void the warranty for this product.
LEDs
LED stands for light-emitting diode. The DWL-2210AP has 3 LEDs.
• Power: Solid green light indicates connection.
• LAN: Blinking green light indicates activity on the Ethernet Port; solid green light indicates connection.
• WLAN: Blinking green light indicates wireless activity.
Connections
Pressing the Reset Button restores the DWL-2210AP to its original factory default settings. The LAN Port is Auto-MDI/MDIX.
Overview of the D-Link DWL-2210AP
The D-Link DWL-2210AP provides continuous, high-speed access between your wireless and Ethernet devices. It is an advanced, standards-based solution for wireless networking in small and medium-sized businesses. The D-Link DWL-2210AP enables zero-administration wireless local area network (WLAN) deployment while providing state-of-the-art wireless networking features.
Features and Benefits
IEEE Standards Support and Wi-Fi Compliance
• Support for IEEE 802.11b and IEEE 802.11g wireless networking standards.
• Provides bandwidth of up to 54Mbps* for IEEE 802.11g (11Mbps* for IEEE 802.11b)
• Wi-Fi certification
Wireless Features
• Auto channel selection at startup
• Transmit power adjustment
• Wireless Distribution System (WDS) for connecting multiple access points wirelessly.
Features and Benefits (continued)
Security Features
• Inhibit SSID Broadcast
• Ignore SSID Broadcast
• Weak IV avoidance
• Wireless Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• Advanced Encryption Standard (AES)
• User based access control with local authentication server
• Local user database and user life-cycle management
• MAC address filtering
Out-of-the-Box Guest Interface
• Unique network name (SSID) for the Guest interface
• Captive portal to guide guests to customized, guest-onl
Features and Benefits (continued) Clustering and Auto-Management (continued) Self-managed access points with automatic configuration synchronization The access points in a cluster periodically check that the cluster configuration is consistent, and check for the presence and availability of the other members of the cluster. The administrator can monitor this information through the user interface. Enhanced local authentication using 802.
Prelaunch Checklist: Default Settings and Supported Administrator/Client Platforms Before you plug in and boot a new access point, review the following sections for a quick check of required hardware components, software, client configurations, and compatibility issues. Make sure you have everything you need ready to go for a successful launch and test of your new (or extended) wireless network.
Prelaunch Checklist
Default Settings:
• System Name: DWL-2210AP. Related information: “Setting the DNS Name” in “Setting the Ethernet (Wired) Interface”
• User Name: admin. Related information: The user name is read-only. It cannot be modified.
Prelaunch Checklist
Default Settings (continued):
• Connection Type: Dynamic Host Configuration Protocol (DHCP). Related information: If you do not have a DHCP server on the Internal network and do not plan to use one, the first thing you must do after bringing up the access point is to change the Connection Type from “DHCP” to “Static IP.” The Guest network must have a DHCP server.
• Subnet Mask: None. Related information: This is determined by your network setup and DHCP server configuration.
Prelaunch Checklist Default Settings (continued): Option Default Settings Related Information Rate Sets (Mbps) (Basic/Advertised • IEEE 802.1g: 11, 5.5, 2, 1 • IEEE 802.
Prelaunch Checklist Administrator’s Computer Configuration and administration of the D-Link DWL-2210AP is accomplished with the KickStart utility (which you run from the CD) and through a Web-based user interface. The DWL-2210AP must be installed into a DHCP-enabled network in order to use the KickStart utility for configuration. The following table describes the minimum requirements for the administrator’s computer.
Prelaunch Checklist
Administrator’s Computer (continued)
• Web Browser / Operating System: Configuration and administration of the D-Link DWL-2210AP is provided through a Web-based user interface hosted on the access point. We recommend using one of the following supported Web browsers to access the access point Administration Web pages:
  • Microsoft Internet Explorer version 5.5 or 6.
Prelaunch Checklist Wireless Client Computers The D-Link DWL-2210AP provides wireless access to any client with a properly configured Wi-Fi client adapter for the 802.11b and 802.11g modes in which the access point is running. Multiple client operating systems are supported. Clients can be laptops or desktops, personal digital assistants (PDAs), or any other hand-held, portable or stationary device equipped with a Wi-Fi adapter and supporting drivers.
Prelaunch Checklist
Wireless Client Computers (continued)
• Client Security Settings: Security should be disabled on the client used to do initial configuration of the access point. If the Security mode on the access point is set to anything other than plain text, wireless clients will need to set a profile to the authentication mode used by the access point and provide a valid username and password, certificate, or similar user identity proof.
Prelaunch Checklist Understanding Dynamic and Static IP Addressing on the D-Link DWL-2210AP When installed in a DHCP network (dynamic IP addressing), the D-Link DWL-2210APs are designed to auto-configure, with very little setup required for the first access point and no configuration required for additional access points subsequently joining a preconfigured cluster.
Prelaunch Checklist Understanding Dynamic and Static IP Addressing Static IP Addressing The D-Link DWL-2210AP ships with a default Static IP Address of 192.168.0.50. (See “Default Settings for the D-Link DWL-2210AP” in this manual.) If no DHCP server is found on the network, the AP retains this static IP address at first-time startup.
Quick Steps for the Setup and Launch of Your Wireless Network Setting up and deploying one or more D-Link DWL-2210APs is in effect creating and launching a wireless network. The KickStart Wizard (for DHCP-enabled networks) and corresponding Basic Settings Administration Web page simplify this process. Here is a step-by-step guide to setting up your D-Link DWL-2210APs and the resulting wireless network.
Quick Steps for Setup
Step 1. Unpack the access point (continued)
What’s inside the box?
• D-Link AirPremier DWL-2210AP 802.11g Wireless Adaptive Access Point
• Power over Ethernet base unit
• Power Adapter-DC 48V, 0.4A
• Power cord
• Manual and Warranty on CD
• Quick Installation Guide
• Ethernet Cable
Step 2. Connect the access point to network and power
The next step is to set up the network and power connections.
1.
Quick Steps for Setup Step 2. Connect the access point (continued) • If you use a hub, the device you use must permit broadcast signals from the access point to reach all other devices on the network. A standard hub should work fine. Some switches, however, do not allow directed or subnet broadcasts through. You may have to configure the switch to allow directed broadcasts.
Quick Steps for Setup
Step 3. Run KickStart Wizard on the CD-ROM to find access points on a DHCP network
The DWL-2210AP is DHCP enabled by default. The DWL-2210AP CD-ROM contains the KickStart Wizard to simplify access point configuration on a network with a DHCP server. Use KickStart only when there is a DHCP server in your network. KickStart Wizard is an easy-to-use utility for discovering and identifying new D-Link DWL-2210APs in a network with a DHCP server.
Quick Steps for Setup Step 3. Run KickStart Wizard (continued) Click Next to search for access points. 2. Wait for the search to complete, or until the KickStart Wizard has found your new access points. If no access points are found, Kickstart indicates this and presents some troubleshooting information about your LAN and power connections. Once you have checked hardware power and Ethernet connections, you can click the Kickstart Back button to search again for access points. 3.
Quick Steps for Setup Step 3. Run KickStart Wizard (continued) 4. Go to the Access Point Administration Web pages by taking the link provided on the KickStart page. KickStart provides a link to the Administration Web pages via the IP address of the first access point of each model.
Quick Steps for Setup Step 4b. Log on to the Administration Web pages without Kickstart, in a non-DHCP network When the DWL-2210AP is installed in a network with no DHCP server, after configuring your computer’s static IP address to be within the IP address range of the DWL-2210AP, you will enter the IP address of the DWL-2210AP into the address field of your web browser; the browser window shown below will appear.
Quick Steps for Setup Step 5. Configure “Basic Settings” Provide a minimal set of configuration information by defining the basic settings for your wireless network. These settings are all available on the Basic Settings page of the Administration Web interface, and are categorized into steps 1-4 on the Web page. For a detailed description of these “Basic Settings” and how to properly configure them, please see “Configuring Basic Settings.” Summarized briefly here, the steps are: 1.
Quick Steps for Setup 4. Start Wireless Networking Click the Update button to activate the wireless network with these new settings. For more information, see “Update Basic Settings” in this manual. Default Configuration If you follow the steps above and accept all the defaults, the access point will have the default configuration described in “Default Settings for the D-Link DWL-2210AP” in this manual.
Configuring Basic Settings
The basic configuration tasks are described in the following sections:
• Navigating to Basic Settings
• Review / Describe the Access Point
• Provide Administrator Password and Wireless Network Name
• Set Configuration Policy for New Access Points
• Update Basic Settings
• Summary of Settings
• Basic Settings for a Standalone Access Point
• Your Network at a Glance: Understanding Indicator Icons
Configuring Basic Settings Navigating to Basic Settings To configure initial settings, click Basic Settings. If you use KickStart Wizard to link to the Administration Web pages, the Basic Settings page is displayed by default. Fill in the fields on the Basic Settings screen as described on the following page.
Configuring Basic Settings
Review / Describe the Access Point
• IP Address: Shows IP address assigned to this access point. This field is not editable because the IP address is already assigned (either via DHCP, or statically through the Ethernet (wired) settings as described in “Configuring Guest Interface Ethernet Settings” in this manual).
• MAC Address: Shows the MAC address of the access point.
Configuring Basic Settings
Provide Administrator Password and Wireless Network Name
• Administrator Password: Enter a new administrator password. The characters you enter will be displayed as “*” characters to prevent others from seeing your password as you type. The Administrator password must be an alphanumeric string of up to 32 characters. Do not use special characters or spaces.
Configuring Basic Settings
Set Configuration Policy for New Access Points
• New Access Points: Choose the policy you want to put in effect for adding New Access Points to the network.
  • If you choose “are configured automatically”, then when a new access point is added to the network it automatically joins the existing cluster. The cluster configuration is copied to the new access point, and no manual configuration is required to deploy it.
Configuring Basic Settings Update Basic Settings When you have reviewed the new configuration, click Update to apply the settings and deploy the access points as a wireless network. Summary of Settings When you update the Basic Settings, a summary of the new settings is shown along with information about next steps. At initial startup, no security is in place on the access point. An important next step is to configure security, as described in “Configuring Security” in this manual.
Configuring Basic Settings Basic Settings for a Standalone Access Point The Basic Settings tab for a standalone access point indicates only that the current mode is standalone and provides a button for adding the access point to a cluster (group). If you click on any of the Cluster tabs on the Administration pages for an access point in standalone mode, you will be redirected to the Basic Settings page because Cluster settings do not apply to standalone APs.
Managing Access Points and Clusters The D-Link DWL-2210AP shows current basic configuration settings for clustered access points (location, IP address, MAC address, status, and availability) and provides a way of navigating to the full configuration for specific APs if they are cluster members. Standalone access points or those which are not members of this cluster do not show up in this listing.
Managing Access Points and Clusters
Navigating to Access Points Management
To view or edit information on access points in a cluster, click the Cluster > Access Points tab.
Understanding Clustering
A key feature of the D-Link DWL-2210AP is the ability to form a dynamic, configuration-aware group (called a cluster) with other D-Link DWL-2210APs in a network in the same subnet.
Managing Access Points and Clusters
What Kinds of APs Can Cluster Together?
A single D-Link DWL-2210AP can form a cluster with itself (a “cluster of one”) and with other D-Link DWL-2210APs. In order to be members of the same cluster, access points must be:
• Of the same radio and band configuration (all one-radio, single-band APs; the D-Link DWL-2210AP is a one-radio, single-band AP)
• On the same LAN
Having a mix of APs on the network does not adversely affect D-Link DWL-2210AP clustering in any way.
Managing Access Points and Clusters
Settings Not Shared by the Cluster
The few exceptions (settings not shared among clustered access points) are the following, most of which, by nature, must be unique:
• IP addresses
• MAC addresses
• Location descriptions
• WDS bridges
• Ethernet (Wired) Settings, including enabling or disabling Guest access
• Guest interface configuration
Settings that are not shared must be configured individually on the Administration pages for each access point.
Managing Access Points and Clusters If you click on any of the Cluster tabs on the Administration pages for an access point in standalone mode, you will be redirected to the Basic Settings page because Cluster settings do not apply to standalone APs. When the cluster is full (eight APs is the limit), extra APs are added in standalone mode regardless of the configuration policy in effect for new access points. See “How Many APs Can a Cluster Support?” in this manual.
Managing Access Points and Clusters The progress bar indicates that the system is busy performing an auto-synch of the updated configuration to all APs in the cluster. The Administration Web pages are not editable during the auto-synch. Note that auto-synchronization always occurs during configuration updates that affect the cluster, but the processing time is usually negligible. The auto-synch progress bar is displayed only for longer-than-usual wait times.
Managing Access Points and Clusters
The following table describes the access point settings and information display in detail.
Modifying the Location Description
To make modifications to the location description:
1. Navigate to the Basic Settings tab.
2. Update the Location description in section 1 under “Review Description of this Access Point.”
3. Click Update button to apply the changes.
Removing an Access Point from the Cluster
To remove an access point from the cluster, do the following.
1.
Managing Access Points and Clusters In some situations it is possible for the cluster to become out of sync. If after removing an access point from the cluster, the AP list still reflects the deleted AP or shows an incomplete display; refer to the information on Cluster Recovery in “Appendix B. Troubleshooting” in this manual.
Managing User Accounts The D-Link DWL-2210AP includes user management capabilities for controlling client access to access points. User management and authentication must always be used in conjunction with the following two security modes, which require use of a RADIUS server for user authentication and management. • IEEE 802.1x mode (see “IEEE 802.
Managing User Accounts
Navigating to User Management for Clustered Access Points
To set up or modify user accounts, click the Cluster > Users tab.
Viewing User Accounts
User accounts are shown at the top of the screen under “User Accounts.” User name, real name and status (enabled or disabled) are shown. You make modifications to an existing user account by first selecting the checkbox next to a user name and then choosing an action. (See “Editing a User Account” in this manual.
Managing User Accounts
• Real Name: For information purposes, provide the user’s full name. There is a 256 character limit on real names.
• Password: Specify a password for this user. Passwords are alphanumeric strings of up to 256 characters. Do not use special characters or spaces.
2. When you have filled in the fields, click Add Account to add the account. The new user is then displayed in the “User Accounts.
Managing User Accounts This can come in handy in situations where users have an occasional need to access the network. For example, contractors who do work for your company on an intermittent but regular basis might need network access for 3 months at a time, then be off for 3 months, and back on for another assignment. You can enable and disable these user accounts as needed, and control access as appropriate.
Session Monitoring The D-Link DWL-2210AP provides real-time session monitoring information including which clients are associated with a particular access point, data rates, transmit/receive statistics, signal strength, and idle time.
Session Monitoring Understanding Session Monitoring Information The Sessions page shows information on client stations associated with access points in the cluster. Each client is identified by user name and user MAC address, along with the AP (location) to which it is currently connected. To view a particular statistic for client sessions, select an item from the Display drop-down list and click Go.
Session Monitoring
• Data Rate (continued): This value should fall within the range of the advertised rate set for the IEEE 802.1x mode in use on the access point.
• Signal: Indicates the strength of the radio frequency (RF) signal the client receives from the access point. The measure used for this is an IEEE 802.1x value known as Received Signal Strength Indication (RSSI), and will be a value between 0 and 100. RSSI is determined by an IEEE 802.
Setting the Ethernet (Wired) Interface Ethernet (Wired) Settings describe the configuration of your Ethernet local area network (LAN). The Ethernet Settings, including guest access, are not shared across the cluster. These settings must be configured individually on the Administration pages for each access point. To get to the Administration pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster > Access Points page of the current AP.
Setting the Ethernet (Wired) Interface Navigating to Ethernet To set the wired address for an access point, navigate to the Advanced > Ethernet tab, and update the fields as described in the following pages.
Setting the Ethernet (Wired) Interface
Setting the DNS Name
• DNS Name: Enter the DNS name for the access point in the text box. This is the host name. It may be provided by your ISP or network administrator, or you can provide your own. The rules for system names are:
  • This name can be up to 20 characters long.
  • Only letters, numbers and dashes are allowed.
  • The name must start with a letter and end with either a letter or a number.
Setting the Ethernet (Wired) Interface
• Guest Access: By default, the D-Link DWL-2210AP ships with Guest Access disabled.
  • To enable Guest Access, click Enabled.
  • To disable Guest Access, click Disabled.
Using VLANs for the Guest Network
If you enable Guest Access, two virtual LANs (VLANs) will be used: one for the Internal network and one for the Guest network.
Setting the Ethernet (Wired) Interface
Configuring Internal Interface Ethernet Settings
To configure Ethernet (Wired) settings for the Internal LAN, fill in the fields as described below.
• MAC Address: Shows the MAC address for the Internal interface for the Ethernet port on this access point. This is a read-only field that you cannot change.
• VLAN ID: If you enable Guest access and configure Internal and Guest networks on “VLANs”, this field will be enabled.
Setting the Ethernet (Wired) Interface
• Static IP Address: If you chose “Static IP” as the Connection Type, these fields will be enabled. Enter the Static IP Address in the text boxes.
• Subnet Mask: Enter the Subnet Mask in the text boxes. You must obtain this information from your ISP or network administrator.
• Default Gateway: Enter the Default Gateway in the text boxes.
Setting the Wireless Interface Wireless settings describe aspects of the local area network (LAN) related specifically to the radio device in the access point (802.11 Mode and Channel) and to the network interface to the access point (MAC address for access point and wireless network name, also known as SSID).
Setting the Wireless Interface Navigating to Wireless Settings To set the wireless address for an access point, navigate to the Advanced > Wireless tab, and update the fields as described below. The following figure shows the Wireless settings page for a two-radio AP. The Administration Web page for the single-radio AP will look slightly different.
Setting the Wireless Interface
Configuring the Radio Interface
The radio interface allows you to set the radio Channel and 802.11 mode as described below.
• MAC Addresses (Shown on two-radio AP only): Indicates the Media Access Control (MAC) addresses for the interface. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. You cannot change the MAC address.
Setting the Wireless Interface
Configuring “Internal” LAN Wireless Settings
The Internal Settings describe the MAC Address (read-only) and Network Name (also known as the SSID) for the internal Wireless LAN (WLAN) as described below.
• MAC Address: Shows the MAC address(es) for Internal interface for this access point. This is a read-only field that you cannot change.
Setting the Wireless Interface Configuring “Guest” Network Wireless Settings The Guest Settings describe the MAC Address (read-only) and wireless network name (SSID) for the Guest Network as described below. Configuring an access point with two different network names (SSIDs) allows you to leverage the Guest interface feature on the D-Link DWL-2210AP. For more information, see “Setting up Guest Access” in this manual.
Enabling the Network Time Protocol Server The Network Time Protocol (NTP) is an Internet standard protocol that synchronizes computer clock times on your network. NTP servers transmit Coordinated Universal Time (UTC, also known as Greenwich Mean Time) to their client systems. NTP sends periodic time requests to servers, using the returned time stamp to adjust its clock. The timestamp will be used to indicate the date and time of each event in log messages. See http://www.ntp.
Enabling the Network Time Protocol Server Navigating to Time Protocol Settings To enable an NTP server, navigate to the Advanced > Time Protocol tab, and update the fields as described below.
Enabling the Network Time Protocol Server
Enabling or Disabling a Network Time Protocol (NTP) Server
To configure your access point to use a network time protocol (NTP) server, first enable the use of NTP, and then select the NTP server you want to use. (To shut down NTP service on the network, disable NTP on the access point.)
• Network Time Protocol: NTP provides a way for the access point to obtain and maintain its time from a server on the network.
Configuring Security
The following sections describe how to configure Security settings on the D-Link DWL-2210AP:
• Understanding Security Issues on Wireless Networks
• How Do I Know Which Security Mode to Use?
• Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms
• Does Prohibiting the Broadcast SSID Enhance Security?
• Navigating to Security Settings
• Configuring Security Settings
• Broadcast SSID and Security Mode
• Plaintext
• Static WEP
• IEEE 802.
Configuring Security How Do I Know Which Security Mode to Use? In general, we recommend that on your Internal network you use the most robust security mode that is feasible in your environment. When configuring security on the access point, you first must choose the security mode, then in some modes an authentication algorithm, and whether to allow clients not using the specified security mode to associate.
Configuring Security
Following is a list of the security modes available on the D-Link DWL-2210AP along with a description of the key management, authentication, and encryption algorithms used in each mode. We include some suggestions as to when one mode might be more appropriate than another.
• When to Use Plain Text
• When to Use Static WEP
• When to Use IEEE 802.1x
• When to Use WPA with RADIUS
• When to Use WPA-PSK
When to Use Plain Text
Plain text mode by definition provides no security.
Configuring Security
• Key Management: Static WEP uses a fixed key that is provided by the administrator. WEP keys are indexed in different slots (up to four on the D-Link DWL-2210AP).
• Encryption Algorithm: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.
• User Authentication: If you set the Authentication Algorithm to Shared Key, this protocol provides a rudimentary form of user authentication.
Configuring Security
• Key Management: IEEE 802.1x provides dynamically-generated keys that are periodically refreshed.
• Encryption Algorithm: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame. There are different Unicast keys for each station.
• User Authentication: IEEE 802.1x mode supports a variety of authentication methods, like certificates, Kerberos, and public key authentication with a RADIUS server.
Configuring Security
• Key Management: WPA with RADIUS provides dynamically generated keys that are periodically refreshed.
• Encryption Algorithm: Temporal Key Integrity Protocol (TKIP); Counter mode/CBC-MAC Protocol (CCMP) Advanced Encryption Standard (AES). There are different Unicast keys for each station.
• User Authentication: Remote Authentication Dial-In User Service (RADIUS). You have a choice of using the D-Link DWL-2210AP embedded RADIUS server or an external RADIUS server.
Configuring Security If there are older client stations on your network that do not support WPA, you can configure WPA with RADIUS (with Both, CCMP, or TKIP) and check the “Allow non-WPA IEEE 802.1x clients” checkbox to allow non-WPA clients. This way, you get the benefit of IEEE 802.1x key management for non-WPA clients along with even better data protection of TKIP and CCMP (AES) key management and encryption algorithms for your WPA clients. A typical scenario is that one is upgrading a current 802.
Configuring Security
Recommendations
WPA w/PSK is not recommended for use with the D-Link DWL-2210AP when WPA with RADIUS is an option. We recommend that you use WPA with RADIUS mode instead, unless you have interoperability issues that prevent you from using this mode. For example, some devices on your network may not support WPA with EAP talking to a RADIUS server. Embedded printer servers or other small client devices with very limited space for implementation may not support RADIUS.
Configuring Security Navigating to Security Settings To set the security mode, navigate to the Advanced > Security tab, and update the fields as described below. Configuring Security Settings The following configuration information explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and encryption key settings consistent with access point security.
Configuring Security
• Broadcast SSID: Select the Broadcast SSID setting by clicking the “Allow” or “Prohibit” radio button. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames. You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP’s broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station.
Configuring Security The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients. For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. (See also “Does Prohibiting the Broadcast SSID Enhance Security?” in this manual).
Configuring Security
• Transfer Key Index: Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1. The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.
Configuring Security
• Authentication Algorithm: The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode.
Configuring Security
Rules to Remember for Static WEP
• All client stations must have the Wireless LAN (WLAN) security set to WEP and all clients must have one of the WEP keys specified on the AP in order to decode AP-to-station data transmissions.
• The AP must have all keys used by clients for station-to-AP transmit so that it can decode the station transmissions.
• The same key must occupy the same slot on all nodes (AP and clients).
Configuring Security Providing a Wireless Client with a WEP Key If you have a second client station, that station also needs to have one of the WEP keys defined on the AP. You could give it the same WEP key you gave to the first station. Or for a more secure solution, you could give the second station a different WEP key (key 2, for example) so that the two stations cannot decrypt each other’s transmissions.
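The static WEP rules and the Transfer Key Index behaviour described above can be checked against a planned key layout before clients are configured. The following Python example is added here and is not code from D-Link or this manual; the Node class, the finding labels and the key values are constructed for illustration, and it assumes a receiver needs the sender's transmit key in the same slot to decode a frame.

```python
from dataclasses import dataclass
from itertools import permutations

VALID_SLOTS = (1, 2, 3, 4)  # the manual lists key indexes 1 through 4


@dataclass
class Node:
    """An AP or a client station (hypothetical model, not a D-Link API)."""
    name: str
    keys: dict           # slot number -> WEP key string; empty slots omitted
    transfer_index: int  # slot whose key this node encrypts with when it transmits


def audit_client(ap, client):
    """Return labels for the static WEP rules that `client` breaks against `ap`."""
    findings = []
    slots_used = list(client.keys) + [client.transfer_index]
    if any(slot not in VALID_SLOTS for slot in slots_used):
        findings.append("invalid-slot")

    # AP-to-station: the AP encrypts with the key at its Transfer Key Index,
    # so the client needs that key in that slot to decode AP transmissions.
    ap_tx_key = ap.keys.get(ap.transfer_index)
    if ap_tx_key is None or client.keys.get(ap.transfer_index) != ap_tx_key:
        findings.append("cannot-decode-ap")

    # Station-to-AP: the AP must hold the key the client transmits with.
    client_tx_key = client.keys.get(client.transfer_index)
    if client_tx_key is None or ap.keys.get(client.transfer_index) != client_tx_key:
        findings.append("ap-cannot-decode-client")

    # The same key must occupy the same slot on all nodes.
    for slot, key in sorted(client.keys.items()):
        if ap.keys.get(slot) != key and key in ap.keys.values():
            findings.append(f"slot-mismatch:{slot}")
    return findings


def audit(ap, clients):
    """Map each client name to its list of findings (empty list means consistent)."""
    return {client.name: audit_client(ap, client) for client in clients}


def readable_by(clients):
    """List (sender, reader) pairs where reader holds sender's transmit key in the same slot.

    Such a reader is able to decrypt the sender's station-to-AP traffic, which is
    what giving stations different WEP keys is meant to prevent.
    """
    pairs = []
    for sender, reader in permutations(clients, 2):
        tx_key = sender.keys.get(sender.transfer_index)
        if tx_key is not None and reader.keys.get(sender.transfer_index) == tx_key:
            pairs.append((sender.name, reader.name))
    return pairs


# Constructed sample layout (key strings are made up for this example).
KEY_A = "0A1B2C3D4E"
KEY_B = "5F6A7B8C9D"
AP = Node("ap", {1: KEY_A, 2: KEY_B}, transfer_index=1)
CLIENTS = [
    Node("station1", {1: KEY_A}, transfer_index=1),
    Node("station2", {1: KEY_A, 2: KEY_B}, transfer_index=2),
    Node("station3", {2: KEY_A}, transfer_index=2),  # key A entered in the wrong slot
]

if __name__ == "__main__":
    for name, findings in audit(AP, CLIENTS).items():
        print(name, findings or "consistent")
    for sender, reader in readable_by(CLIENTS):
        print(f"{reader} holds the key {sender} transmits with")
```

In this layout station2 transmits with key 2, which station1 does not hold, but station2 still holds key 1 and so is able to read station1's transmissions.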
Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations

IEEE 802.1x
IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically-generated keys that are periodically refreshed.
If you selected “IEEE 802.1x” Security Mode, provide the following:
Field: Authentication Server
Description: Select one of the following from the drop-down menu:
• Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
• External - To use an external authentication server.
WPA with RADIUS
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Counter mode/CBC-MAC Protocol (CCMP), and Advanced Encryption Standard (AES) mechanisms. This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > Users tab.
Field: Cipher Suites
Description: Select the cipher you want to use from the drop-down menu:
• TKIP
• CCMP (AES)
• Both
Temporal Key Integrity Protocol (TKIP) is the default. TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be reused to encrypt data (a weakness of WEP). TKIP uses a 128-bit “temporal key” shared by clients and access points.
Field: Authentication Server
Description: Select one of the following from the drop-down menu:
• Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
• External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
WPA-PSK
Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Advanced Encryption Algorithm (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a pre-shared key. This is used for an initial check of credentials only.
Updating Settings
To apply your changes, click Update.

Configuring Radio Settings
The following sections describe how to configure Radio Settings on the D-Link DWL-2210AP:
• Understanding Radio Settings
• Configuring Radio Settings
• Updating Settings

Understanding Radio Settings
Radio settings directly control the behavior of the radio device in the access point and its interaction with the physical medium; that is, how/what type of electromagnetic waves the AP emits.
Navigating to Radio Settings
To specify radio settings, navigate to Advanced > Radio tab, and update the fields as described below.
Configuring Radio Settings
Field: Status (On/Off)
Description: Specify whether you want the radio on or off by clicking On or Off.
Field: Mode
Description: The Mode defines the Physical Layer (PHY) standard being used by the radio. Select one of these modes:
• IEEE 802.11b
• IEEE 802.11g
Field: Channel
Description: The Channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving.
Field: Fragmentation Threshold
Description: Specify a number between 256 and 2,346 to set the frame size threshold in bytes. The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network. If a packet exceeds the fragmentation threshold set here, the fragmentation function will be activated and the packet will be sent as multiple 802.11 frames.
Field: Transmit Power
Description: Provide a percentage value to set the transmit power for this access point. The default is to have the access point transmit using 100 percent of its power. Recommendations:
• For most cases, we recommend keeping the default and having the transmit power set to 100 percent. This is more cost-efficient as it gives the access point a maximum broadcast range, and reduces the number of APs needed.
Controlling Access by MAC Address Filtering
A Media Access Control (MAC) address is a hardware address that uniquely identifies each node of a network. All IEEE 802 network devices share a common 48-bit MAC address format, usually displayed as a string of 12 hexadecimal digits separated by colons, for example FE:DC:BA:09:87:65. Each wireless network interface card (NIC) used by a wireless client has a unique MAC address.
Navigating to MAC Filtering Settings
To enable filtering by MAC address, navigate to the Advanced > MAC Filtering tab, and update the fields as described below.
Using MAC Filtering
This page allows you to control access to D-Link DWL-2210AP based on Media Access Control (MAC) addresses. Based on how you set the filter, you can allow only client stations with a listed MAC address or prevent access to the stations listed. For the Guest interface, MAC Filtering settings apply to both BSSes. On a two-radio AP, MAC Filtering settings apply to both radios.
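The two filter settings described above, evaluated over a station list, with a review pass that decodes the flag bits of each listed address. This is an added example, not code from the manual or the access point firmware: the mode names and the `MacFilter` class are hypothetical, and the list is constructed around the manual's own sample address.

```python
"""Evaluate a MAC filter list under the two settings the manual describes."""
import re

ALLOW_LISTED = "allow-listed"   # hypothetical name: only listed stations may associate
BLOCK_LISTED = "block-listed"   # hypothetical name: listed stations are refused


def normalize_mac(text):
    """Return 'aa:bb:cc:dd:ee:ff' for colon, hyphen, dotted or bare notation."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def address_notes(mac):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    notes = []
    if first_octet & 0x01:
        # Multicast or broadcast: never a station's own source address.
        notes.append("group address")
    if first_octet & 0x02:
        # Assigned in software rather than burned in by the manufacturer.
        notes.append("locally administered")
    return notes


class MacFilter:
    def __init__(self, mode, stations):
        if mode not in (ALLOW_LISTED, BLOCK_LISTED):
            raise ValueError(f"unknown filter mode: {mode!r}")
        self.mode = mode
        # Normalising on entry makes 'FE-DC-...' and 'fe:dc:...' the same entry.
        self.stations = {normalize_mac(s) for s in stations}

    def permits(self, mac):
        """True if a station with this address may associate."""
        listed = normalize_mac(mac) in self.stations
        return listed if self.mode == ALLOW_LISTED else not listed

    def review(self):
        """List entries that do not identify one manufacturer-assigned NIC."""
        return sorted((mac, note)
                      for mac in self.stations
                      for note in address_notes(mac))


# Constructed list: the manual's sample address plus two made-up entries.
STATIONS = ["FE:DC:BA:09:87:65", "00-11-22-33-44-55", "0100.5e00.0001"]

if __name__ == "__main__":
    allow = MacFilter(ALLOW_LISTED, STATIONS)
    print(allow.permits("fe-dc-ba-09-87-65"), allow.permits("00:11:22:33:44:56"))
    for mac, note in allow.review():
        print(mac, note)
```

The manual's sample address FE:DC:BA:09:87:65 is itself reported as locally administered, because bit 0x02 of its first octet is set.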
Load Balancing
The D-Link DWL-2210AP allows you to balance the distribution of wireless client connections across multiple access points. Using load balancing, you can prevent scenarios where a single access point in your network shows performance degradation because it is handling a disproportionate share of the wireless traffic.
Specifying Limits for Utilization and Client Associations
You can correct for imbalances in network AP utilization by enabling load balancing and setting limits on utilization rates and number of client associations allowed per access point.

Load Balancing and QoS
Load balancing also plays a part in contributing to Quality of Service (QoS) for Voice Over IP (VoIP) and other such time-sensitive applications competing for bandwidth and timely access to the air waves on a wireless network.
Configuring Load Balancing
To configure load balancing, enable “Load Balancing” and set limits and behavior to be triggered by a specified utilization rate of the access point.
• To view the current Utilization Rates for access points, click Cluster > Sessions on the Administration Web pages. (See “Session Monitoring” in this manual.
Field: Utilization for Disassociation
Description: Utilization rate limits relate to wireless bandwidth utilization. Provide a bandwidth utilization rate percentage limit for this access point to indicate when to disassociate current clients. When the utilization rate exceeds the specified limit, a client currently associated with this access point will be disconnected. If you specify 0 in this field, current clients will never be disconnected regardless of the utilization rate.
Configuring Queues for Quality of Service (QoS)
The following sections describe how to configure Quality of Service queues on the D-Link DWL-2210AP:
• Understanding QoS
• QoS and Load Balancing
• 802.
As with all IEEE 802.11 working group standards, the goal is to provide a standard way of implementing QoS features so that components from different companies are interoperable. The D-Link DWL-2210AP provides QoS based on the Wireless Multimedia Enhancement (WME) specification, which is an implementation of a subset of 802.11e features.
A different type of data is associated with each queue. The queue and associated priorities and parameters for transmission are as follows:
• Data 0 (bulk). Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example).
• Data 1 (best effort). Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue.
Each frame includes a source and destination MAC address, a control field with protocol version, frame type, frame sequence number, frame body (with the actual information to be transmitted) and frame check sequence for error detection. The 802.11 standard defines various frame types for management and control of the wireless infrastructure, and for data transmission. 802.11 frame types are (1) management frames, (2) control frames, and (3) data frames.
The random backoff used by the access point is a configurable parameter. To describe the random delay, a “Minimum Contention Window” (MinCW) and a “Maximum Contention Window” (MaxCW) are defined.
• The value specified for the Minimum Contention Window is the upper limit of a range for the initial random backoff wait time. The number used in the random backoff is initially a random number between 0 and the number defined for the Minimum Contention Window.
Navigating to QoS Settings
To set up queues for QoS, navigate to the Advanced > QoS tab, and configure settings as described below.

Configuring QoS Queues
Configuring Quality of Service (QoS) on the D-Link DWL-2210AP consists of setting parameters on existing queues for different types of wireless traffic, and effectively specifying minimum and maximum wait times (via Contention Windows) for transmission.
Field: Queue
Description: Queues are defined for different types of data transmitted from AP-to-station:
Data 0 (bulk): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example).
Field: Min. Contention Window
Description: This parameter is input to the algorithm that determines the initial random backoff wait time (“window”) for retry of a transmission. The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here.
Configuring the Wireless Distribution System (WDS)
The D-Link DWL-2210AP lets you connect multiple access points using a Wireless Distribution System (WDS). WDS allows access points to communicate with one another wirelessly in a standardized way. This capability is critical in providing a seamless experience for roaming clients and for managing multiple wireless networks. It can also simplify the network infrastructure by reducing the amount of cabling required.
Using WDS to Bridge Distant Wired LANs
In an ESS, a network of multiple access points, each access point serves part of an area which is too large for a single access point to cover. You can use WDS to bridge distant Ethernets to create a single LAN.
Backup Links and Unwanted Loops in WDS Bridges
Another use for WDS bridging, the creation of backup links, is not supported in this release of the D-Link DWL-2210AP. The topic is included here to emphasize that you should not try to use WDS in this way; backup links will result in unwanted, endless loops of data traffic.
Navigating to WDS Settings
To specify the details of traffic exchange from this access point to others, navigate to the Advanced > WDS tab, and update the fields as described below. The following figure shows the WDS settings page for the two-radio AP. The Administration Web page for the one-radio AP will look slightly different.
Configuring WDS Settings
The following notes summarize some critical guidelines regarding WDS configuration. Please read all the notes before proceeding with WDS configuration.
• The only security mode available on the WDS link is Static WEP, which is not particularly secure. Therefore, we recommend using WDS to bridge the Guest network only for this release.
Field: Local Address
Description: Indicates the Media Access Control (MAC) addresses for this access point. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. You cannot change the MAC address. It is provided here for informational purposes as a unique identifier for the access point or interface.
Field: Key Type
Description: If WEP is enabled, specify the WEP key type:
• ASCII
• Hex
Field: Characters Required
Description: Indicates the number of characters required in the WEP key. The number of characters required updates automatically based on how you set Key Length and Key Type.
Field: WEP Key
Description: Enter a string of characters. If you selected “ASCII”, enter any combination of 0-9. If you selected “HEX”, enter hexadecimal digits (any combination of 0-9 and a-f or A-F).
1. Open the Administration Web pages for MyAP1, by entering the IP address for MyAP1 as a URL in the Web browser address bar in the following form: http://IPAddressOfAccessPoint where IPAddressOfAccessPoint is the address of MyAP1.
2. Navigate to the WDS tab on MyAP1 Administration Web pages. The MAC address for MyAP1 (the access point you are currently viewing) will show as the “Local Address” at the top of the page.
3.
Setting up Guest Access
Out-of-the-box Guest Interface features allow you to configure the D-Link DWL-2210AP for controlled guest access to an isolated network. You can configure the same access point to broadcast and function as two different wireless networks: a secure “Internal” LAN and a public “Guest” network. Guest clients can access the guest network without a username or password. When guests log in, they see a guest Welcome screen (also known as a captive portal).
1. Configure the access point to represent two virtually separate networks as described in the section below, “Configuring Internal and Guest VLANs” in this manual.
2. Set up the guest Welcome screen for the guest captive portal as described in the section below, “Configuring the Welcome Screen (Captive Portal)” in this manual.
Guest Interface settings are not shared among access points across the cluster.
Configuring the Welcome Screen (Captive Portal)
You can set up or modify the Welcome screen guest clients see when they open a Web browser or try to browse the Web. To set up the captive portal, do the following.
1. Navigate to the Advanced > Guest Login tab.
2. Choose Enabled to activate the Welcome screen.
3. In the Welcome Screen Text field, type the text message you would like guest clients to see on the captive portal.
4. Click Update to apply the changes.
Deployment Example
In the figure below, the dotted red lines indicate dedicated guest connections. All access points and all connections (including guests) are administered from the same D-Link DWL-2210AP Administration Web pages.
Maintenance and Monitoring
The maintenance and monitoring tasks described here all pertain to viewing and modifying settings on specific access points; not on a cluster configuration that is automatically shared by multiple access points. Therefore, it is important to ensure that you are accessing the Administration Web pages for the particular access point you want to configure.
Interfaces
To monitor wired LAN and wireless LAN (WLAN) settings, navigate to Status > Interfaces on the access point you want to monitor. On a two-radio access point, current wireless settings for both Radio One and Radio Two are shown. On a one-radio access point, settings are shown for one radio. The Interfaces page for a two-radio AP is shown in the following figure. This page displays the current settings of the D-Link DWL-2210AP.
Wireless Settings
The Radio Interface settings include radio Mode and Channel. Also shown here are MAC addresses (read-only) for internal and guest interfaces. (See “Setting the Wireless Interface” in this manual and “Configuring Radio Settings” in this manual for more information.) If you want to change any of these settings, click the “Configure” link.
Statistics
To view transmit/receive statistics for a particular access point, navigate to Status > Statistics on the Administration Web pages for the access point you want to monitor. The following figure shows the Transmit / Receive page for a two-radio AP. The Administration Web page for the one-radio AP will look slightly different.
This page provides some basic information about the current access point and a real-time display of the transmit and receive statistics for this access point as described in the following table. All transmit and receive statistics shown are totals since the access point was last started. If the AP is rebooted, these figures indicate transmit/receive totals since the reboot.
Field: IP Address
Description: IP Address for the access point.
Associated Wireless Clients
To view the client stations associated with a particular access point, navigate to Status > Associations on the Administration Web pages for the access point you want to monitor. The associated stations are displayed along with information about packet traffic transmitted and received for each station.
Rebooting the Access Point
For maintenance purposes or as a troubleshooting measure, you can reboot the D-Link DWL-2210AP as follows.
1. Click the Advanced > Reboot tab.
2. Click the Reboot button. The AP reboots.
Resetting the Configuration
If you are experiencing extreme problems with the D-Link DWL-2210AP and have tried all other troubleshooting measures, use the Reset Configuration function. This will restore factory defaults and clear all settings, including settings such as a new password or wireless settings.
1. Click the Advanced > Reset tab.
2. Click the Reset button. Factory defaults are restored.
Upgrading the Firmware
As new versions of the D-Link DWL-2210AP firmware become available, you can upgrade the firmware on your devices to take advantage of new features and enhancements. You must do this per access point; you cannot upgrade firmware automatically across the cluster. Keep in mind that a successful firmware upgrade restores the access point configuration to the factory defaults. (See “Default Settings for the D-Link DWL-2210AP” in this manual.
The firmware upgrade file supplied must be in the format .upgrade.tar. Do not attempt to use .bin files or files of other formats for the upgrade; these will not work.

Update
Click Update to apply the new firmware image. Upon clicking Update for the firmware upgrade, a popup confirmation window is displayed that describes the upgrade process. Click OK to confirm the upgrade, and start the process.
Neighbors
The status page for “neighboring access points” provides real-time statistics for all access points within range of the access point on which you are viewing the Administration Web pages. To view information about other access points on the wireless network, navigate to Status > Neighbors.
Information provided on neighboring access points is described in the following table:
Field: MAC Address
Description: Shows the MAC address of the neighboring access point. A MAC address is a hardware address that uniquely identifies each node of a network.
Field: Beacon Interval
Description: Shows the Beacon interval being used by this access point. Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network.
Field: Band
Description: This indicates the IEEE 802.11 mode being used on this access point. (For example, IEEE 802.11b and IEEE 802.11g.) The number shown indicates the mode according to the following map:
• 2.4 indicates IEEE 802.11b mode or IEEE 802.11g mode
Field: Channel
Description: Shows the channel on which the access point is currently broadcasting. The Channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving.
Appendix A. Configuring Security Settings on Wireless Clients
Typically, users will configure security on their wireless clients for access to many different networks (access points). The list of “Available Networks” will change depending on the location of the client and which APs are online and detectable in that location.
• Configuring an External RADIUS Server to Recognize the D-Link DWL-2210AP
• Obtaining a TLS-EAP Certificate for a Client

Network Infrastructure and Choosing Between Built-in or External Authentication Server
Network security configurations including Public Key Infrastructures (PKI), Remote Authentication Dial-in User Server (RADIUS) servers, and Certificate Authority (CA) can vary a great deal from one organization to the next in terms of how
Make Sure the Wireless Client Software is Up-to-Date
Before starting out, please keep in mind that service packs, patches, and new releases of drivers and other supporting technologies for wireless clients are being generated at a fast pace. A common problem encountered in client security setup is not having the right driver or updates to it on the client.
List of available networks will change depending on client location. Each network (or access point) that is detected by the client shows up in this list. (“Refresh” updates the list with current information.) For each network you want to connect to, configure security settings on the client to match the security mode being used by that network.
Configuring a Client to Access an Unsecure Network (Plain Text mode)
If the access point or wireless network to which you want to connect is configured as “Plain Text” security mode (no security), you need to configure the client accordingly. A client using no security to connect is configured with Network Authentication “Open” to that network and Data Encryption “Disabled” as described below.
Configuring Static WEP Security on a Client
Static Wired Equivalent Privacy (WEP) encrypts data moving across a wireless network based on a static (non-changing) key. The encryption algorithm is a “stream” cipher called RC4. The access point uses a key to transmit data to the client stations. Each client must use that same key to decrypt data it receives from the access point.
. . . then configure WEP security on each client as follows.
Authentication Tab
Enable IEEE 802.1x authentication for this network: Make sure that IEEE 802.1x authentication is disabled (box should be unchecked). (Setting the encryption mode to WEP should automatically disable authentication.)
Click OK on the Wireless Network Properties dialog to close it and save your changes.
Configuring IEEE 802.1x Security on a Client
IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically-generated keys that are periodically refreshed.
• Enable (click to check) IEEE 802.1x authentication
• Choose Open
• Choose WEP Data Encryption mode
• Enable auto key option
• Choose Protected EAP (PEAP) . . . then, click “Properties”
• Disable (click to uncheck) “Validate server certificate”
• Disable (click to uncheck) option to automatically use Windows logon name and password
• Choose “secured password (EAP-MSCHAP v2)” . . .
1. Configure the following settings on the Association tab on the Network Properties dialog.
Association Tab
Network Authentication: Open
Data Encryption: WEP
Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each IEEE 802.11 frame. This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
IEEE 802.1x Client Using EAP/TLS Certificate
Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an authentication protocol that supports the use of smart cards and certificates. You have the option of using EAP-TLS with both WPA with RADIUS and IEEE 802.1x modes if you have an external RADIUS server on the network to support it. If you want to use IEEE 802.
If you configured the D-Link DWL-2210AP to use IEEE 802.1x security mode with an external RADIUS server . . .
. . . then configure IEEE 802.1x security with certificate authentication on each client as follows.
• Choose WEP Data Encryption mode
• Choose Smart Card/Certificate
• Enable (click to check) IEEE 802.1x authentication
• Choose Open
• Enable auto key option . . .
• Enable (click to check) “validate server certificate.”
• Select (check) the name of certificate on this client (downloaded from RADIUS server in a prerequisite procedure)
1. Configure the following settings on the Association tab on the Network Properties dialog.
Association Tab
Network Authentication: Open
Data Encryption: WEP
Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each IEEE 802.
3. Click Properties to bring up the Smart Card or other Certificate Properties dialog and enable the “Validate server certificate” option.
Smart Card or other Certificate Properties Dialog
Validate Server Certificate: Enable this option (click to check the box).
Certificates: In the certificate list shown, select the certificate for this client.
Click OK on all dialogs to close and save your changes.
4.
Configuring WPA with RADIUS Security on a Client
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), and Counter mode/CBC-MAC Protocol (CCMP). This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts on the access point.
If you configured the D-Link DWL-2210AP to use WPA with RADIUS security mode and to use either the Built-in Authentication Server or an external RADIUS server that uses EAP/PEAP . . . First set up user accounts on the access point (Cluster > User Management). . . . . . . then configure WPA security with PEAP authentication on each client as follows.
• Choose WPA
• Choose either TKIP or AES for the Data Encryption mode
• Choose Protected EAP (PEAP) . . . then, click “Properties”
• Disable (click to uncheck) “Validate server certificate”
• Disable (click to uncheck) option to automatically use Windows logon name and password
• Choose “secured password (EAP-MSCHAP v2)” . . .
1. Configure the following settings on the Association and Authentication tabs on the Network Properties dialog.
Association Tab
Network Authentication: WPA
Data Encryption: TKIP or AES depending on how this option is configured on the access point.
Note: When the Cipher Suite on the access point is set to “Both”, then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point.
WPA with RADIUS Client Using EAP-TLS Certificate
Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an authentication protocol that supports the use of smart cards and certificates. You have the option of using EAP-TLS with both WPA with RADIUS and IEEE 802.1x modes if you have an external RADIUS server on the network to support it. If you want to use IEEE 802.
• Choose Smart Card or other certificate and enable “Authenticate as computer when info is available”
• Choose WPA
• Then click “Properties”
• Choose either TKIP or AES for the Data Encryption mode
• Enable (click to check) “Validate server certificate”
• Select (check) the name of the certificate on this client (downloaded from RADIUS server in a prerequisite procedure)
1. Configure the following settings on the Association tab on the Network Properties dialog.
Association Tab
Network Authentication: WPA
Data Encryption: TKIP or AES depending on how this option is configured on the access point.
Note: When the Cipher Suite on the access point is set to “Both”, then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point.
Configuring WPA-PSK Security on a Client
Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Advanced Encryption Algorithm (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a pre-shared key for an initial check of client credentials.
If you configured the D-Link DWL-2210AP to use WPA-PSK security mode . . . . . .
Association Tab
Network Authentication: WPA-PSK
Data Encryption: TKIP or AES depending on how this option is configured on the access point.
Note: When the Cipher Suite on the access point is set to “Both”, then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point. For more information, see Administrators Guide and Online Help on the access point.
Configuring an External RADIUS Server to Recognize the D-Link DWL-2210AP
An external Remote Authentication Dial-in User Server (RADIUS) server running on the network can support EAP-TLS smart card/certificate distribution to clients in a Public Key Infrastructure (PKI) as well as EAP-PEAP user account setup and authentication. By external RADIUS server, we mean an authentication server external to the access point itself.
The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. On the current release of the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The D-Link DWL-2210AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
1.
• IP address for the access point. Click Next.
4. For the “Shared secret”, enter the RADIUS Key you provided to the access point (on the Advanced > Security page). Retype the key to confirm.
5. Click Finish. The access point is now displayed as a client of the Authentication Server.
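Why the “Shared secret” in step 4 has to match the RADIUS Key on the access point, as an added example that is not part of the D-Link manual: under RFC 2865 the access point recomputes the Response Authenticator of every reply with its own copy of the key and drops replies that do not match. The stand-in server, the user name and both keys are constructed, and the request is simplified (no password or EAP attributes).

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)

def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, identifier, total length, 16-byte authenticator, attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def new_request(ident: int, user: bytes) -> bytes:
    """Access-Request with a random Request Authenticator and a User-Name."""
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attribute(1, user))

def response_authenticator(code, ident, request_auth, attrs, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_reply(request: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the RADIUS server: always sends Access-Accept."""
    ident, request_auth = request[1], request[4:20]
    attrs = attribute(18, b"ok")       # Reply-Message
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)

def nas_accepts(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Access point side: verify the reply using its own copy of the key."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    req = new_request(7, b"alice")
    rep = server_reply(req, b"constructed-key-A")
    print("matching key:  ", nas_accepts(req, rep, b"constructed-key-A"))
    print("mismatched key:", nas_accepts(req, rep, b"constructed-key-B"))
```

A key mismatch therefore shows up on the access point as silently discarded replies rather than as an explicit rejection from the server.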
Obtaining a TLS-EAP Certificate for a Client
If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Authority Infrastructure (PKI), including a Certificate Authority (CA) server, configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server.
The Welcome screen for the Certificate Server is displayed in the browser.
3. Click “Request a certificate” to get the login prompt for the RADIUS server.
4. Provide a valid user name and password to access the RADIUS server. The user name and password you need to provide here are for access to the RADIUS server, for which you will already have user accounts configured at this point.
6. Click “Yes” on the dialog displayed to install the certificate.
7. Click “Submit” to complete and click “Yes” to confirm the submittal on the popup dialog.
8. Click “Install this certificate” to install the newly issued certificate on your client station. (Also, click “Yes” on the popup windows to confirm the install and to add the certificate to the Root Store.
Appendix B. Troubleshooting
This section provides information about how to solve common problems you might encounter in the course of updating network configurations on networks served by multiple, clustered access points.
Cluster Recovery
In cases where the access points in a cluster become out of sync or an access point cannot join or be removed from a cluster, the following methods for cluster recovery are recommended.
The Stop Clustering page for this access point is displayed. Click the Stop Clustering button. Repeat this “stop clustering” step for every access point in the cluster. Table 1: Do not proceed to the next step of resetting any access points until you have stopped clustering on all of them. Make sure that you first “Stop Clustering” on every access point on the subnet, and only then perform the next part of the process of resetting each one to the factory defaults. 2.
On the Administration UI left-hand tabs, click Advanced > Reset to bring up the Reset page. Click Reset to restore the factory defaults on the access point. (This will clear all of your previous settings, including updated passwords.) Repeat this “reset” step for every access point in the cluster. Table 2: Do not proceed to the next step until you have stopped clustering on all of the access points in the preexisting cluster. 3. Refresh the cluster view as follows.
At this point you should see all previous cluster members displayed in the list. Before proceeding to the last step, verify that the cluster has reformed by making sure all access points are listed.
4. Review all configuration settings and make modifications as needed. Pay special attention to the security settings because after a reset, Access Points run without any security in place.
Glossary
802
IEEE 802 (IEEE Std. 802-2001) is a family of standards for peer-to-peer communication over a LAN. These technologies use a shared-medium, with information broadcast for all stations to receive. The basic communications capabilities provided are packet-based. The basic unit of transmission is a sequence of data octets (8-bits), which can be of any length within a range that is dependent on the type of LAN.
802.11b
IEEE 802.11b (IEEE Std. 802.11b-1999) is an enhancement of the initial 802.11 PHY to include 5.5 Mbps and 11 Mbps data rates. It uses direct sequence spread spectrum (DSSS) or frequency hopping spread spectrum (FHSS) in the 2.4 GHz ISM band as well as complementary code keying (CCK) to provide the higher data rates. It supports data rates ranging from 1 to 11 Mbps.
802.11e
IEEE 802.11e is a developing IEEE standard for MAC enhancements to support QoS.
When one access point is connected to a wired network and supports a set of wireless stations, it is referred to as a basic service set (BSS). An extended service set (ESS) is created by combining two or more BSSs.
Ad hoc Mode
Ad hoc mode is a Wireless Networking Framework in which stations communicate directly with each other. It is useful for quickly establishing a network in situations where formal infrastructure is not required.
Broadcast
A Broadcast sends the same message at the same time to everyone. In wireless networks, broadcast usually refers to an interaction in which the access point sends data traffic in the form of IEEE 802.1x Frames to all client stations on the network. Some wireless security modes distinguish between how unicast, multicast, and broadcast frames are encrypted or whether they are encrypted. See also Unicast and Multicast.
Broadcast Address
See IP Address.
CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) is a low-level network arbitration/contention protocol. A station listens to the media and attempts to transmit a packet when the channel is quiet. When it detects that the channel is idle, the station transmits the packet. If it detects that the channel is busy, the station waits a random amount of time and then attempts to access the media again. CSMA/CA is the basis of the IEEE 802.11e Distributed Control Function (DCF).
DOM
The Document Object Model (DOM) is an interface that allows programs and scripts to dynamically access and update the content, structure, and style of documents. The DOM allows you to model the objects in an HTML or XML document (text, links, images, tables), defining the attributes of each object and how they can be manipulated. Further details about the DOM can be found at the W3C.
DTIM
The Delivery Traffic Information Map (DTIM) message is an element included in some Beacon frames.
Legacy IEEE 802.11b devices cannot detect the ERP-OFDM signals used by IEEE 802.11g stations, and this can result in collisions between data frames from IEEE 802.11b and IEEE 802.11g stations. If there is a mix of 802.11b and 802.11g nodes on the same channel, the IEEE 802.11g stations detect this via an ERP flag on the access point and enable request to send (RTS) and clear to send (CTS) protection before sending data. See also CSMA/CA protocol.
IBSS
An independent basic service set (IBSS) is an Ad hoc Mode Wireless Networking Framework in which stations communicate directly with each other.
IEEE
The Institute of Electrical and Electronic Engineers (IEEE) is an international standards body that develops and establishes industry standards for a broad range of technologies, including the 802 family of networking and wireless standards. (See 802, 802.1x, 802.11, 802.11a, 802.11b, 802.11e, 802.11f, 802.11g, and 802.11i.
• The Broadcast Address consists of a host number that is all ones (for example, 192.168.2.255).
There are a finite number of IP addresses that can exist. Therefore, a local area network typically uses one of the IANA-designated address ranges for use in private networks. These address ranges are:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.
connects multiple computers and other network devices such as storage and printers. Ethernet is the most common technology implementing a LAN. Wireless Ethernet (802.11) is another very popular LAN technology (also see WLAN).
LDAP
The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing online directory services. It is used to provide an authentication mechanism. It is based on the X.500 standard, but less complex.
Multicast
A Multicast sends the same message to a select group of recipients. Sending an e-mail message to a mailing list is an example of multicasting. In wireless networks, multicast usually refers to an interaction in which the access point sends data traffic in the form of IEEE 802.1x Frames to a specified set of client stations (MAC addresses) on the network.
• Layer 3, the Network layer, defines how to determine the best path for information traversing the network. Packets and logical IP Addresses operate on the network layer.
• Layer 4, the Transport layer, defines connection oriented protocols such as TCP and UDP.
• Layer 5, the Session layer, defines protocols for initiating, maintaining, and ending communication and transactions across the network.
PPP
The Point-to-Point Protocol is a standard for transmitting network layer datagrams (IP packets) over serial point-to-point links. PPP is designed to operate both over asynchronous connections and bit-oriented synchronous systems.
PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) is a specification for connecting the users on a LAN to the Internet through a common broadband medium, such as a single DSL or cable modem line.
Router
A router is a network device which forwards packets between networks. It is connected to at least two networks, commonly between two local area networks (LANs) or between a LAN and a wide-area network (WAN), for example, the Internet. Routers are located at gateways, places where two or more networks connect. A router uses the content of headers and its tables to determine the best path for forwarding a packet.
SNMP consists of managed devices and their agents, and a management system. The agents store data about their devices in Management Information Bases (MIBs) and return this data to the SNMP management system when requested.
SSID
The Service Set Identifier (SSID) is a thirty-two character alphanumeric key that uniquely identifies a wireless local area network. It is also referred to as the Network Name. There are no restrictions on the characters that may be used in an SSID.
TCP
The Transmission Control Protocol (TCP) is built on top of Internet Protocol (IP). It adds reliable communication (guarantees delivery of data), flow-control, multiplexing (more than one simultaneous connection), and connection-oriented transmission (requires the receiver of a packet to acknowledge receipt to the sender). It also guarantees that packets will be delivered in the same order in which they were sent.
URL
A Uniform Resource Locator (URL) is a standard for specifying the location of objects on the Internet, such as a file or a newsgroup. URLs are used extensively in HTML documents to specify the target of a hyperlink which is often another HTML document (possibly stored on another computer). The first part of the URL indicates what protocol to use and the second part specifies the IP address or the domain name where that resource is located. For example, ftp://ftp.d-link.com/downloads/myfile.
WINS
The Windows Internet Naming Service (WINS) is a server process for resolving Windows-based computer names to IP addresses. It provides information that allows these systems to browse remote networks using the Network Neighborhood.
Wireless Networking Framework
There are two ways of organizing a wireless network:
• Stations communicate directly with one another in an Ad hoc Mode network, also known as an independent basic service set (IBSS).
Technical Specifications
Standards
• IEEE 802.11b
• IEEE 802.11g
• IEEE 802.3
• IEEE 802.3af
• IEEE 802.3u
• IEEE 802.3x
Device Management
• Web-Based – Internet Explorer v6 or later; Netscape Navigator v6 or later; or other Java-enabled browsers.
• Telnet
• Kickstart
Data Rate
For 802.11g:
• 108, 54, 48, 36, 24, 18, 12, 9 and 6Mbps
For 802.11b:
• 11, 5.
Wireless Operating Range* 802.
Transmit Output Power
For 802.11b:
• 63mW (18dBm)
• 40mW (16dBm)
• 32mW (15dBm)
• 23mW (13dBm)
• 10mW (10dBm)
• 6mW (7dBm)
• 1mW (0dBm)
For 802.11g:
• 63mW (18dBm)
• 40mW (16dBm)
• 32mW (15dBm)
• 6mW (7dBm)
• 1mW (0dBm)
Receiver Sensitivity
For 802.11b:
• 1Mbps: -94dBm
• 2Mbps: -90dBm
• 5.5Mbps: -88dBm
• 11Mbps: -85dBm
For 802.11g:
• 1Mbps: -94dBm
• 2Mbps: -91dBm
• 5.
LEDs
• Power
• 10M/100M
• WLAN
Temperature
• Operating: 32ºF to 104ºF (0ºC to 40ºC)
• Storing: -4ºF to 149ºF (-20ºC to 65ºC)
Humidity
• Operating: 10%~90% (non-condensing)
• Storing: 5%~95% (non-condensing)
Certifications
• FCC Part 15
• UL
Dimensions
• L = 5.59 inches (142mm)
• W = 4.29 inches (109mm)
• H = 1.22 inches (31mm)
Weight
• 0.
Technical Support
You can find software updates and user documentation on the D-Link website. D-Link provides free technical support for customers within the United States and within Canada for the duration of the warranty period on this product. U.S. and Canadian customers can contact D-Link technical support through our web site, or by phone.
Subject to the terms and conditions set forth herein, D-Link Systems, Inc. (“D-Link”) provides this Limited warranty for its product only to the person or entity that originally purchased the product from:
• D-Link or its authorized reseller or distributor and
• Products purchased and delivered within the fifty states of the United States, the District of Columbia, U.S. Possessions or Protectorates, U.S. Military Installations, addresses with an APO or FPO.
• The original product owner must obtain a Return Material Authorization (“RMA”) number from the Authorized D-Link Service Office and, if requested, provide written proof of purchase of the product (such as a copy of the dated purchase invoice for the product) before the warranty service is provided.
Governing Law: This Limited Warranty shall be governed by the laws of the State of California. Some states do not allow exclusion or limitation of incidental or consequential damages, or limitations on how long an implied warranty lasts, so the foregoing limitations and exclusions may not apply. This limited warranty provides specific legal rights and the product owner may also have other rights which vary from state to state. Trademarks: D-Link is a registered trademark of D-Link Systems, Inc.
Registration Register your D-Link product online at http://support.dlink.